diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index f4a291c..aadea0b 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -14,23 +14,11 @@ jobs:
       PROJECT_NAME: ${{ vars.PROJECT_NAME || 'unrip' }}
       PROJECT_NAMESPACE: ${{ vars.PROJECT_NAMESPACE || vars.PROJECT_NAME || 'unrip' }}
       PROJECT_DEPLOYMENTS: ${{ vars.PROJECT_DEPLOYMENTS || 'near-intents-ingest,dummy-reactor,dummy-executor,dummy-consumer' }}
-      BUILDAH_ISOLATION: chroot
-      STORAGE_DRIVER: vfs
+      REPO_CLONE_URL: ${{ github.server_url }}/${{ github.repository }}.git
     steps:
       - name: Install tooling
         run: |
-          apk add --no-cache buildah kubectl netavark aardvark-dns
-
-      - name: Checkout
-        env:
-          REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git
-          REPO_TOKEN: ${{ github.token }}
-        run: |
-          rm -rf .git
-          git init .
-          git remote add origin "https://oauth2:${REPO_TOKEN}@${REPO_URL#https://}"
-          git fetch --depth=1 origin "$GITHUB_SHA"
-          git checkout --detach FETCH_HEAD
+          apk add --no-cache kubectl
 
       - name: Load kubeconfig
         run: |
@@ -38,23 +26,78 @@ jobs:
           printf '%s' '${{ secrets.KUBECONFIG_B64 }}' | base64 -d > "$HOME/.kube/config"
           kubectl get ns
 
-      - name: Login to registry
-        run: |
-          buildah login -u '${{ secrets.REGISTRY_USERNAME }}' -p '${{ secrets.REGISTRY_PASSWORD }}' "$REGISTRY_HOST"
-
       - name: Resolve deployment settings
         run: |
           IMAGE="$REGISTRY_HOST/$PROJECT_NAME:$IMAGE_TAG"
+          BUILD_JOB="image-build-${GITHUB_SHA:0:12}"
           {
             echo "IMAGE=$IMAGE"
+            echo "BUILD_JOB=$BUILD_JOB"
             echo "PROJECT_NAMESPACE=$PROJECT_NAMESPACE"
             echo "PROJECT_DEPLOYMENTS=$PROJECT_DEPLOYMENTS"
           } >> "$GITHUB_ENV"
 
-      - name: Build and push image
+      - name: Build and push image in-cluster
+        env:
+          REPO_TOKEN: ${{ github.token }}
         run: |
-          buildah bud --storage-driver "$STORAGE_DRIVER" --network host -t "$IMAGE" .
-          buildah push --storage-driver "$STORAGE_DRIVER" "$IMAGE" "docker://$IMAGE"
+          cat <<EOF | kubectl apply -f -
+          apiVersion: batch/v1
+          kind: Job
+          metadata:
+            name: ${BUILD_JOB}
+            namespace: ${PROJECT_NAMESPACE}
+          spec:
+            backoffLimit: 0
+            ttlSecondsAfterFinished: 3600
+            template:
+              spec:
+                restartPolicy: Never
+                volumes:
+                  - name: workspace
+                    emptyDir: {}
+                  - name: registry-creds
+                    secret:
+                      secretName: unrip-registry-creds
+                      items:
+                        - key: .dockerconfigjson
+                          path: config.json
+                initContainers:
+                  - name: checkout
+                    image: alpine/git:2.47.2
+                    env:
+                      - name: REPO_TOKEN
+                        value: ${REPO_TOKEN}
+                      - name: REPO_CLONE_URL
+                        value: ${REPO_CLONE_URL}
+                      - name: GITHUB_SHA
+                        value: ${GITHUB_SHA}
+                    command: ["/bin/sh", "-lc"]
+                    args:
+                      - >-
+                        git clone --depth=1 "https://oauth2:${REPO_TOKEN}@${REPO_CLONE_URL#https://}" /workspace &&
+                        cd /workspace &&
+                        git fetch --depth=1 origin "${GITHUB_SHA}" &&
+                        git checkout --detach "${GITHUB_SHA}"
+                    volumeMounts:
+                      - name: workspace
+                        mountPath: /workspace
+                containers:
+                  - name: kaniko
+                    image: gcr.io/kaniko-project/executor:v1.23.2-debug
+                    args:
+                      - --context=/workspace
+                      - --dockerfile=/workspace/Dockerfile
+                      - --destination=${IMAGE}
+                      - --cache=true
+                    volumeMounts:
+                      - name: workspace
+                        mountPath: /workspace
+                      - name: registry-creds
+                        mountPath: /kaniko/.docker
+          EOF
+          kubectl -n "$PROJECT_NAMESPACE" wait --for=condition=Complete --timeout=20m "job/$BUILD_JOB"
+          kubectl -n "$PROJECT_NAMESPACE" logs "job/$BUILD_JOB"
 
       - name: Roll deployments to new image
         run: |